Re: Dynamic IP log retention = 0?

From: Ross (no email)
Date: Thu Mar 12 2009 - 03:25:16 EDT

  • Next message: Brett Watson: "Re: Dynamic IP log retention = 0?"

    How did a simple thread about network scanning get so derailed? We have
    people talking about the legal implications of port scanning, hiring
    lawyers to go after ISPs, talking to the FBI, the benefits/downfalls of
    NAT as a security policy, etc. Wow, just wow.

    I'll try to answer you with a more common-sense approach, as some have tried
    to do. First of all, no network operator has to hand their logs or user
    information over to you just because you want to know. You can ask their
    abuse department to intervene, but that is all up to that department. They
    may have told you they don't have them just because they didn't want you
    pestering them anymore, or they may really not have them; who knows. Don't
    try to judge them, but try to fix this very minute problem in a way you can
    control.

    The ways you can control this are simple.

    1) Block all of Covad (not very smart)
    2) Block all of Covad except for essential ports (25, 80, 443 or whatever
    other common ports they may need)
    3) Set up perimeter protection that blocks hosts that are scanning you
    and removes them after a determined amount of time

    This trying to shun people in public because they aren't following your
    guide to network administration probably isn't going to work very well for
    you. If 65000 Covad addresses were DDoSing you then I would agree that you
    have a legitimate gripe, but focus on what you can control and not what you
    believe others should be doing.

    ross [at]
    > I've been nudging an operator at Covad about a handful of hosts from his
    > DHCP pool that have been attacking - relentlessly port scanning - our
    > assets. I've been informed by this individual that there's "no way" to
    > determine which customer had that address at the times I list in my logs -
    > even though these logs are sent within 48 hours of the incidents.
    >
    > The operator advised that I block the specific IPs that are attacking us
    > at my perimeter. When I mentioned the fact that blocking individual
    > addresses will only be as effective as the length of lease for that DHCP
    > pool I get the email equivalent of a shrug.
    >
    > "Well, maybe you want to ban our entire /15 at your perimeter..."
    >
    > I'm reluctant to ban over 65,000 hosts as my staff have colleagues all
    > over the continental US with whom they communicate regularly.
    >
    > I realize these are tough times and that large ISPs may trim abuse team
    > budgets before other things, but to have NO MECHANISM to audit who has
    > what address at any given time kinda blows my mind.
    >
    > Does one have to get to the level of a subpoena before abuse teams pull
    > out the tools they need to make such a determination? Or am I naive enough
    > to think port scans are as important to them as they are to me on the
    > receiving end?
    > --
    > ********************************************************************
    > Brett Charbeneau, GSEC Gold, GCIH Gold
    > Network Administrator
    > Williamsburg Regional Library
    > 7770 Croaker Road
    > Williamsburg, VA 23188-7064
    > (757)259-4044
    > (757)259-4079 (fax)
    > ********************************************************************
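Option 3 above (block scanning hosts, then unblock them after a set time) as an added Python sketch; this is not Ross's code or anything from the thread. It keeps a sliding window of destination ports per source, blocks a source once it probes several distinct ports, and expires the block after a TTL so a dynamic address that has since been re-leased to another customer is not blocked for good. The log format, thresholds and addresses are constructed for the example.

```python
import re
from collections import defaultdict, deque
# Constructed firewall drop log (epoch secs, source, dest port); 192.0.2.10 probes
# six ports in six seconds, 198.51.100.7 hits a single port. Not from the thread.
SAMPLE_LOG = """\
1236839100 DROP SRC=192.0.2.10 DPT=21
1236839101 DROP SRC=192.0.2.10 DPT=22
1236839102 DROP SRC=192.0.2.10 DPT=23
1236839103 DROP SRC=192.0.2.10 DPT=25
1236839104 DROP SRC=192.0.2.10 DPT=80
1236839105 DROP SRC=192.0.2.10 DPT=443
1236839150 DROP SRC=198.51.100.7 DPT=22
"""
LINE_RE = re.compile(r"^(\d+) DROP SRC=(\S+) DPT=(\d+)$")

class ScanBlocker:
    # Block a source touching >= threshold distinct ports within `window` seconds;
    # lift the block after block_ttl seconds (the address may have changed hands).
    def __init__(self, threshold=6, window=60, block_ttl=3600):
        self.threshold, self.window, self.block_ttl = threshold, window, block_ttl
        self.hits = defaultdict(deque)  # src -> (ts, port) pairs, oldest first
        self.blocked = {}               # src -> epoch second the block expires

    def expire(self, now):
        # Removal step of option 3: forget blocks whose lifetime has elapsed.
        for src in [s for s, until in self.blocked.items() if until <= now]:
            del self.blocked[src]

    def observe(self, ts, src, port):
        # Record one dropped packet; return True if src is blocked afterwards.
        self.expire(ts)
        if src in self.blocked:
            return True
        q = self.hits[src]
        q.append((ts, port))
        while q and q[0][0] < ts - self.window:  # slide the window forward
            q.popleft()
        if len({p for _, p in q}) >= self.threshold:
            self.blocked[src] = ts + self.block_ttl
            q.clear()
            return True
        return False

    def is_blocked(self, src, now):
        self.expire(now)
        return src in self.blocked

def process_log(text, blocker):
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            blocker.observe(int(m[1]), m[2], int(m[3]))
    return blocker
```

In a real deployment the same block/expire decision is what a firewall's recent-hits module or a log-driven banning daemon makes; the point here is that the expiry, not the block, is what keeps the rule from outliving the DHCP lease it was aimed at.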
